In recent years, portable terminals such as a smartphone and the like have been popularized and carried as private information processing terminals. In the meantime, portable terminals have been utilized also as information processing terminals for business use, and some enterprises supply portable terminals as those for business purposes. Accordingly, employees often carry two terminals for private and business use, and desire to use his or her private terminal also for business use. However, to use one terminal for both private and business use, ensuring security of the terminal is important.
To make a private terminal available for business use while ensuring the security of the terminal, a method of integrating a private virtual machine (VM) and a business VM into one terminal by using a virtualization technique is known. With this method, operation environments of the private VM and the business VM are separated, and an operation environment of a business application program is constructed unchanged in the business VM, thereby ensuring security of business data. In the following description, an application program is simply referred to as an application or an AP in some cases.
Also a technique of memory protection between a guest operating system (OS) and an application in a VM that employs a microprocessor having two privilege levels is known. With this technique, a memory management unit switches between a memory protection table for the guest OS and that for the application, and references the switched table, so that an access from the application to a memory area of the guest OS can be restricted.
Also a technique of enabling protection information to be set with a fine grain also for data an address of which is not decided in advance in a memory management device is known. With this technique, information of access prohibition is set in an address translation table used to translate from a virtual address into a physical address, and a fault is caused to occur when an access is made to an area of the virtual address. Then, whether or not an access from an address currently being executed is permitted is determined when a fault occurs, so that the data is protected.
Patent Document 1: Japanese Laid-open Patent Publication No. 2007-004661
Patent Document 2: Japanese Laid-open Patent Publication No. 2006-155516